x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32868

[GoVulnBot]

CVE-2024-32868 references github.com/zitadel/zitadel, which may be a Go module.

Description:
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-32868
• JSON: https://github.com/CVEProject/cvelist/tree/54e053253963a4a5e5f3ef13e34060159a4086b1/2024/32xxx/CVE-2024-32868.json
• advisory: GHSA-7j7j-66cv-m239
• web: https://github.com/zitadel/zitadel/releases/tag/v2.50.0
• Imported by: https://pkg.go.dev/github.com/zitadel/zitadel?tab=importedby

Cross references:

• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961 NOT_IMPORTABLE
• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489 NOT_IMPORTABLE
• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107 EFFECTIVELY_PRIVATE
• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155 EFFECTIVELY_PRIVATE
• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187 EFFECTIVELY_PRIVATE
• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368 NOT_IMPORTABLE
• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
      packages:
        - package: zitadel
summary: CVE-2024-32868 in github.com/zitadel/zitadel
cves:
    - CVE-2024-32868
references:
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.50.0
source:
    id: CVE-2024-32868

[gopherbot]

Change https://go.dev/cl/582535 mentions this issue: data/reports: batch add unreviewed reports

[tatianab]

Duplicate of #2788